Claims

What is claimed is:

1. A method for providing network security features, comprising the steps of:
   (a) identifying a plurality of network objects;
   (b) retrieving rule sets associated with at least one of the identified network objects, the rule sets including a plurality of policy rules that govern actions relating to the identified network objects;
   (c) reconciling overlapping policy rules of the rule sets amongst the network objects; and
   (d) executing the reconciled rule sets.

2. The method as recited in claim 1, wherein each policy rule of the reconciled rule sets includes a rule action selected from the group consisting of: permitting an action relating to the identified network objects, denying an action relating to the identified network objects, and conditionally denying an action relating to the identified network objects.

3. The method as recited in claim 2, wherein an action relating to the identified network objects is permitted if no policy rules deny the action, at least one policy rule conditionally denies the action, and at least one policy rule permits the action.

4. The method as recited in claim 2, wherein the policy rules denying the action are evaluated first, the policy rules conditionally denying the action are evaluated second, and the policy rules permitting the action are evaluated third.
5. The method as recited in claim 1, wherein an action relating to the identified network objects is denied if none of the policy rules permit the action.

6. The method as recited in claim 1, wherein an action relating to the identified network objects is denied if none of the policy rules match a request for the action.

7. The method as recited in claim 1, wherein executing the reconciled rule sets includes combining the rule sets into a single rule set.

8. The method as recited in claim 1, further comprising removing duplicate policy rules of the rule sets.

9. The method as recited in claim 1, further comprising notifying a user of conflicting policy rules of the rule sets.

10. The method as recited in claim 1, wherein the rule sets are associated with a particular network object.

11. The method as recited in claim 1, wherein a protocol configuration enforced by a related proxy is selected from a hierarchal list if an action is permitted by more than one rule.
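
The evaluation order and outcomes recited in claims 3 to 11 amount to a small policy engine, and the following Python is an added worked example of that engine written for this page; it is not code from the patent or from any product. Everything in it beyond the claim language is an assumption made here: the Rule data model, the reading of "conditionally deny" as a verdict that denies unless a permitting rule also matches and no plain deny does, the definition of a notifiable conflict (claim 9) as a permit and a deny for the same object and action, and the PROTOCOL_HIERARCHY list standing in for the claimed "hierarchal list" (claim 11). The sample rule sets are constructed for the demonstration.

```python
"""Policy evaluation as recited in claims 1-11 (added example, not the patent's code).

Assumptions made for this illustration (none of them come from the claims):
  * a Rule carries the network object whose rule set holds it, the request action
    it governs and one of three verdicts (claim 2);
  * a conditional deny denies the action unless a permitting rule also matches
    and no plain deny matches (claim 3);
  * a conflict worth notifying about (claim 9) is a permit and a deny for the
    same object and action;
  * PROTOCOL_HIERARCHY stands in for the claimed "hierarchal list" (claim 11):
    the entry nearest the front wins when several permitting rules match.
"""
from dataclasses import dataclass
from typing import Optional

PERMIT, DENY, COND_DENY = "permit", "deny", "conditionally_deny"

# Assumed hierarchy of proxy protocol configurations, most restrictive first.
PROTOCOL_HIERARCHY = ["http-strict", "http-relaxed", "tcp-passthrough"]


@dataclass(frozen=True)
class Rule:
    network_object: str                    # object whose rule set holds this rule (claim 10)
    action: str                            # request action governed, e.g. "connect:tcp/80"
    verdict: str                           # PERMIT, DENY or COND_DENY (claim 2)
    protocol_config: Optional[str] = None  # proxy configuration carried by permit rules (claim 11)


def reconcile(rule_sets, notify=print):
    """Combine the per-object rule sets into one (claim 7), drop exact duplicates
    (claim 8) and notify about permit/deny conflicts (claim 9).
    Returns (combined_rules, conflict_keys)."""
    combined, seen = [], set()
    for rules in rule_sets:
        for rule in rules:
            if rule in seen:        # frozen dataclass is hashable, so exact duplicates collapse
                continue
            seen.add(rule)
            combined.append(rule)
    verdicts_by_key = {}
    for rule in combined:
        verdicts_by_key.setdefault((rule.network_object, rule.action), set()).add(rule.verdict)
    conflicts = sorted(key for key, verdicts in verdicts_by_key.items()
                       if {PERMIT, DENY} <= verdicts)
    for obj, action in conflicts:
        notify(f"conflicting policy rules for {obj} / {action}: permit and deny both present")
    return combined, conflicts


def evaluate(rules, network_object, action):
    """Decide one request against the reconciled rules.

    Evaluation order follows claim 4: denying rules first, conditionally denying
    rules second, permitting rules third. Returns (decision, protocol_config).
    """
    matching = [r for r in rules if r.network_object == network_object and r.action == action]
    if not matching:
        return "deny", None                # no rule matches the request (claim 6)
    if any(r.verdict == DENY for r in matching):
        return "deny", None                # a plain deny is evaluated first and wins (claim 4)
    # Conditional denies are evaluated second: on their own they deny (claim 5);
    # alongside at least one permit and no plain deny they are overridden (claim 3).
    permits = [r for r in matching if r.verdict == PERMIT]
    if not permits:
        return "deny", None                # none of the policy rules permit the action (claim 5)
    configs = [r.protocol_config for r in permits if r.protocol_config]
    if not configs:
        return "permit", None
    if len(permits) > 1:
        # Permitted by more than one rule: choose from the hierarchical list (claim 11).
        def rank(cfg):
            return PROTOCOL_HIERARCHY.index(cfg) if cfg in PROTOCOL_HIERARCHY else len(PROTOCOL_HIERARCHY)
        return "permit", min(configs, key=rank)
    return "permit", configs[0]


# Constructed sample rule sets: the first two are both associated with "web-proxy"
# and overlap; the third belongs to "db-server".
SAMPLE_RULE_SETS = [
    [
        Rule("web-proxy", "connect:tcp/80", PERMIT, "http-relaxed"),
        Rule("web-proxy", "connect:tcp/80", COND_DENY),
        Rule("web-proxy", "connect:tcp/23", DENY),
    ],
    [
        Rule("web-proxy", "connect:tcp/80", PERMIT, "http-strict"),
        Rule("web-proxy", "connect:tcp/80", PERMIT, "http-relaxed"),  # exact duplicate, dropped
        Rule("web-proxy", "connect:tcp/23", PERMIT),                  # conflicts with the deny above
    ],
    [
        Rule("db-server", "connect:tcp/5432", COND_DENY),             # conditional deny with no permit
    ],
]


def demo():
    """Run the constructed sample through reconcile() and evaluate()."""
    rules, conflicts = reconcile(SAMPLE_RULE_SETS, notify=lambda _msg: None)
    return {
        "rule_count": len(rules),
        "conflicts": conflicts,
        "web80": evaluate(rules, "web-proxy", "connect:tcp/80"),
        "web23": evaluate(rules, "web-proxy", "connect:tcp/23"),
        "db5432": evaluate(rules, "db-server", "connect:tcp/5432"),
        "unmatched": evaluate(rules, "db-server", "connect:tcp/22"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the sample reduces seven rules to six, reports the permit/deny clash on "connect:tcp/23" as the one conflict, and resolves the doubly permitted "connect:tcp/80" to the "http-strict" configuration because it sits highest in the assumed hierarchy; the conditional-only and unmatched requests are both denied, which is the claim 5 and claim 6 behaviour.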



12. A computer program product for providing network security features, comprising:
   (a) computer code for identifying a plurality of network objects;
   (b) computer code for retrieving rule sets associated with at least one of the identified network objects, the rule sets including a plurality of policy rules that govern actions relating to the identified network objects;
   (c) computer code for reconciling overlapping policy rules of the rule sets amongst the network objects; and
   (d) computer code for executing the reconciled rule sets.

13. The computer program product as recited in claim 12, wherein each policy rule of the reconciled rule sets includes a rule action selected from the group consisting of: permitting an action relating to the identified network objects, denying an action relating to the identified network objects, and conditionally denying an action relating to the identified network objects.

14. The computer program product as recited in claim 13, wherein an action relating to the identified network objects is permitted if no policy rules deny the action, at least one policy rule conditionally denies the action, and at least one policy rule permits the action.

15. The computer program product as recited in claim 13, wherein the policy rules denying the action are evaluated first, the policy rules conditionally denying the action are evaluated second, and the policy rules permitting the action are evaluated third.

16. The computer program product as recited in claim 12, wherein an action relating to the identified network objects is denied if none of the policy rules permit the action.

17. The computer program product as recited in claim 12, wherein an action relating to the identified network objects is denied if none of the policy rules match a request for the action.

18. The computer program product as recited in claim 12, wherein executing the reconciled rule sets includes combining the rule sets into a single rule set.

19. The computer program product as recited in claim 12, further comprising computer code for removing duplicate policy rules of the rule sets.

20. The computer program product as recited in claim 12, further comprising computer code for notifying a user of conflicting policy rules of the rule sets.

21. The computer program product as recited in claim 12, wherein the rule sets are associated with a particular network object.

22. The computer program product as recited in claim 12, wherein a protocol configuration enforced by a related proxy is selected from a hierarchal list if an action is permitted by more than one rule.

23. A rule based network security system for providing network security features, comprising:
   (a) logic for identifying a plurality of network objects;
   (b) logic for retrieving rule sets associated with at least one of the identified network objects, the rule sets including a plurality of policy rules that govern actions relating to the identified network objects;
   (c) logic for reconciling overlapping policy rules of the rule sets amongst the network objects; and
   (d) logic for executing the reconciled rule sets.

24. A method for establishing network security, comprising the steps of:
   (a) providing a plurality of network objects of a network and a plurality of rule sets; and
   (b) associating the network objects with the rule sets;
   (c) wherein the rule sets include a plurality of policy rules that govern actions relating to the identified network objects during operation of the network.

25. The method as recited in claim 24, wherein a user is allowed to associate the network objects with the rule sets via a graphical user interface.

26. The method as recited in claim 24, wherein each policy rule of the reconciled rule sets includes a rule action selected from the group consisting of: permitting an action relating to the identified network objects, denying an action relating to the identified network objects, and conditionally denying an action relating to the identified network objects.

27. The method as recited in claim 26, wherein an action relating to the identified network objects is permitted if no policy rules deny the action, at least one policy rule conditionally denies the action, and at least one policy rule permits the action.

28. The method as recited in claim 24, wherein an action relating to the identified network objects is denied if none of the policy rules permit the action.

29. A computer program product for establishing network security, comprising:
   (a) computer code for providing a plurality of network objects of a network and a plurality of rule sets; and
   (b) computer code for associating the network objects with the rule sets;
   (c) wherein the rule sets include a plurality of policy rules that govern actions relating to the identified network objects during operation of the network.

30. The computer program product as recited in claim 29, wherein a user is allowed to associate the network objects with the rule sets via a graphical user interface.

31. The computer program product as recited in claim 29, wherein each policy rule of the reconciled rule sets includes a rule action selected from the group consisting of: permitting an action relating to the identified network objects, denying an action relating to the identified network objects, and conditionally denying an action relating to the identified network objects.

32. The computer program product as recited in claim 31, wherein an action relating to the identified network objects is permitted if no policy rules deny the action, at least one policy rule conditionally denies the action, and at least one policy rule permits the action.

33. The computer program product as recited in claim 29, wherein an action relating to the identified network objects is denied if none of the policy rules permit the action.